Security Incident

April 13, 2011

Matt

Tough note to communicate today: Automattic had a root-level break-in on several of our servers. Because the intruder had root access, potentially anything on those servers could have been revealed.

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and closing the avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears the information disclosed was limited.

Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:

Our investigation into this matter is ongoing and will take time to complete. As noted above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.


We don’t have evidence of passwords being taken, and even if they had been, they would be difficult to crack. However, it’s never a bad idea to update your password, especially if you used the same password in two places.
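The claim that stolen passwords would be "difficult to crack" rests on how they are stored. The following is an added example, not WordPress.com's actual storage code or parameters, showing why: a per-user salt plus an iterated key-derivation function means that two users with the same password get different records (so reuse is invisible in a dump) and every guess costs the attacker the full iteration count. The plain SHA-256 variant is included only as the contrast, and the iteration count and attacker hash rate are illustrative assumptions.

```python
import hashlib
import hmac
import os

# Assumption: iteration count chosen so one verification costs a fraction of a
# second on the server; tune for real hardware rather than copying this number.
ITERATIONS = 200_000


def naive_hash(password: str) -> str:
    """Unsalted, single-round SHA-256: the weak scheme, shown for contrast only.
    Identical passwords produce identical hashes, and a GPU can test
    billions of guesses per second against the whole dump at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 record:
    'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def reuse_visible_in_dump(password: str, salted: bool) -> bool:
    """True if two accounts sharing this password would have identical stored
    values, i.e. an attacker holding the table can see the reuse and crack
    both accounts with a single guess."""
    if salted:
        return hash_password(password) == hash_password(password)
    return naive_hash(password) == naive_hash(password)


def cracking_seconds(guesses_per_account: int, accounts: int,
                     iterations: int, hashes_per_second: float = 1e9) -> float:
    """Rough attacker cost. hashes_per_second is an assumed raw SHA-256 rate.
    Salting forces per-account work (accounts multiplies the cost); iteration
    multiplies the cost of every guess by the iteration count."""
    return guesses_per_account * accounts * iterations / hashes_per_second


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("unsalted reuse visible:", reuse_visible_in_dump("hunter2", salted=False))
    print("salted reuse visible:", reuse_visible_in_dump("hunter2", salted=True))
    # Constructed scenario: 1e6 guesses against each of 1e6 accounts.
    print("unsalted SHA-256 dump (one shared pass per guess):",
          cracking_seconds(10**6, 1, 1), "s")
    print("salted PBKDF2 dump:", cracking_seconds(10**6, 10**6, ITERATIONS), "s")
```

The `cracking_seconds` figure is deliberately crude (it ignores GPU-friendly vs. memory-hard functions and assumes the attacker's rate), but it captures the point behind the post's reassurance: with unsalted fast hashes one guess is checked against every account at once, whereas a salted, iterated scheme makes the cost scale with both the number of accounts and the iteration count. Changing a reused password remains the right advice regardless, because the weakest site that stored it decides how crackable it is.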

Security breaches are a fact of life in today’s world. Honesty is the best policy for those that you serve. Eternal vigilance is the price of freedom.
Those things that don’t kill us make us stronger… I guess that’s enough proverbs for the day. Thanks for informing us.

So can you elaborate on what services were affected and whether any user data was likely to have been exposed? Are you reiterating those security fundamentals because users have some reason to be concerned, or just because?

This potentially affects several of Automattic’s services. Based on the information we have we don’t think user information was accessed, but it’s certainly possible, and so wanted to remind people of security best practices.

Wow, it’s been nothing but bad news from you guys lately. I’m disappointed that these attacks continually get the better of you.

I’m not sure what drugs the rest of the commenters are on (or perhaps you just screen comments so only the perkiest, most upbeat get published, in which case, I worry about you guys even more) but I am distressed by the continual service interruptions and security breaches.

Thank you for the 411. I know that your organization does everything it can to ensure that this won’t happen again. The world is full of individuals whose skills and knowledge in this area pose a constant challenge for you.

I feel safe with WordPress.com, and I couldn’t be happier with the service.

Eh at this point, I expect all of my data to be all over the internet. Not even government networks are safe anymore. I say if you put your data on any site, expect that it will probably at one time or another get stolen. I don’t blame WordPress at all, mind you. I am sure they did everything they could to avoid such an occurrence, but things happen. At least they let us know about it.

Thanks for the heads up. Keep the communication open, honest and timely, and you’ll stand head and shoulders above the rest of the recent victims. Good to know that my password is hashed and salted [?!], but this is a useful prompt to change it anyway.

Thank you for always being on top of everything! For the record, I’ve gotten about six different spam emails in the last half hour. I wonder if it’s related, since usually my email system doesn’t let any spam get past the spam filter.

By “potentially anything on those servers could have been revealed” do you mean that our credit card numbers and other non-public information like personal phone numbers and such may be available on the black market?

I really appreciate you telling us about this. I actually feel more secure when companies I do business with let me know that there’s a problem and that they’re working to hopefully prevent this in the future as well as protect my information. Why can’t we all admit a mistake or potentially damaging problem or issue?

What I don’t like is when people sweep things under the rug as if nothing happened… “Let’s not say anything and maybe no one will find out.” It’s very important for a company to tell me when there’s a problem, because now I’m equipped to do what I need to do, on my end!

Thanks for the update, Matt. Tough as it is, you guys always shine in letting everyone know – and transparency means trust – so kudos to you.

One question though: is VaultPress hosted on the compromised servers, and if so are there any implications for sites using its plugin? My question relates to the access details and APIs used by VaultPress to access the blogs it backs up. If any of these were exposed by the hack, then presumably we’ll need to change them.